CycloneDX / cyclonedx-node-npm

Create CycloneDX Software Bill of Materials (SBOM) from Node.js NPM projects.
https://cyclonedx.org/
Apache License 2.0

Fix: mark devDependencies as "excluded" in SBOM results #1222

Closed ARRY7686 closed 1 month ago

ARRY7686 commented 1 month ago

Description:

This pull request addresses the issue https://github.com/CycloneDX/cyclonedx-node-npm/issues/1151, where devDependencies in the Software Bill of Materials (SBOM) were incorrectly marked as required. According to the CycloneDX specification, devDependencies should be marked with the excluded scope since they are not required at runtime but used for development or testing purposes.

Changes Implemented:

Modified the makeComponent method in src/builders.ts to set the scope of devDependencies to excluded. Added a conditional check for dev dependencies, ensuring they are marked as excluded in the generated SBOM. Commented out the original logic that omitted devDependencies entirely, which was not compliant with the SBOM specification.

Testing Performed:

Verified the SBOM generation for projects with both regular and devDependencies. Ensured that regular dependencies are marked as required and devDependencies are correctly marked as excluded in the generated SBOM. All the tests have passed.

Issue Reference: This pull request fixes https://github.com/CycloneDX/cyclonedx-node-npm/issues/1151.
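The scope mapping the pull request describes, as an added illustration that is not the project's own code: the "before" variant drops devDependencies from the SBOM, the "after" variant keeps them and marks them with the CycloneDX `excluded` scope. The `dev` and `optional` flag names on the input node are assumed to follow `npm ls --json` output, and the sample tree is constructed.

```typescript
// Added example, not code from cyclonedx-node-npm.
// CycloneDX defines component.scope as "required" | "optional" | "excluded".
type CdxScope = "required" | "optional" | "excluded";

// Minimal subset of an `npm ls --json --all` node (field names assumed).
interface NpmNode {
  name: string;
  version: string;
  dev?: boolean;      // reachable only via devDependencies
  optional?: boolean; // reachable only via optionalDependencies
}

interface CdxComponent {
  type: "library";
  name: string;
  version: string;
  scope: CdxScope;
}

// Behaviour the PR describes as the old logic: devDependencies are omitted
// entirely, so an SBOM consumer cannot tell they were ever present.
function makeComponentOmittingDev(node: NpmNode): CdxComponent | undefined {
  if (node.dev) return undefined;
  const scope: CdxScope = node.optional ? "optional" : "required";
  return { type: "library", name: node.name, version: node.version, scope };
}

// Intended behaviour: keep devDependencies in the inventory but mark them
// "excluded", signalling they are not part of the shipped runtime.
function makeComponent(node: NpmNode): CdxComponent {
  let scope: CdxScope = "required";
  if (node.dev) {
    scope = "excluded";
  } else if (node.optional) {
    scope = "optional";
  }
  return { type: "library", name: node.name, version: node.version, scope };
}

// Constructed sample tree, not real `npm ls` output.
const sampleTree: NpmNode[] = [
  { name: "express", version: "4.19.2" },
  { name: "typescript", version: "5.6.2", dev: true },
  { name: "fsevents", version: "2.3.3", optional: true },
];

// Count components per scope; a quick check that no dev dependency is
// reported as "required" in the generated inventory.
function scopeCounts(tree: NpmNode[]): Record<CdxScope, number> {
  const counts: Record<CdxScope, number> = { required: 0, optional: 0, excluded: 0 };
  for (const c of tree.map(makeComponent)) counts[c.scope] += 1;
  return counts;
}
```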

ARRY7686 commented 1 month ago

Hey @jkowalleck, resubmitting the PR. Really sorry for the errors in the previous one; I have tried my best this time. I just forgot to sign off the branch and will do it at the earliest once you approve that the changes are valid.

jkowalleck commented 1 month ago

supersedes #1222

jkowalleck commented 1 month ago

@ARRY7686 , please follow our contribution guidelines.

Please sign off your commits, to show that you agree to publish your changes under the current terms and licenses of the project, and to indicate agreement with the Developer Certificate of Origin (DCO). Read more here: https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/CONTRIBUTING.md#sign-off-your-commits

See instructions on how to sign off already pushed commits here: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1222/checks?check_run_id=30938492442

jkowalleck commented 1 month ago

I am closing this pull request.

The changes do not have any effect on the code, nor do they affect the result.

jkowalleck commented 1 month ago

Feel free to open another pull request that actually solves #1222.